diff options
-rw-r--r-- | abs/core/libtiff/CVE-2006-3459-3465.patch | 669 | ||||
-rw-r--r-- | abs/core/libtiff/ChangeLog | 35 | ||||
-rw-r--r-- | abs/core/libtiff/PKGBUILD | 31 | ||||
-rw-r--r-- | abs/core/libtiff/libtiff-CVE-2009-2285.patch | 22 | ||||
-rw-r--r-- | abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch | 64 | ||||
-rw-r--r-- | abs/core/libtiff/tiff2pdf-compression.patch | 44 | ||||
-rw-r--r-- | abs/core/libtiff/tiff2pdf-octal-printf.patch | 11 | ||||
-rw-r--r-- | abs/core/libtiff/tiffsplit-fname-overflow.patch | 19 |
8 files changed, 16 insertions, 879 deletions
diff --git a/abs/core/libtiff/CVE-2006-3459-3465.patch b/abs/core/libtiff/CVE-2006-3459-3465.patch deleted file mode 100644 index cb55b03..0000000 --- a/abs/core/libtiff/CVE-2006-3459-3465.patch +++ /dev/null @@ -1,669 +0,0 @@ -diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c ---- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 -@@ -122,6 +122,7 @@ - { - static const char module[] = "_TIFFVSetField"; - -+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); - TIFFDirectory* td = &tif->tif_dir; - int status = 1; - uint32 v32, i, v; -@@ -195,10 +196,12 @@ - break; - case TIFFTAG_ORIENTATION: - v = va_arg(ap, uint32); -+ const TIFFFieldInfo* fip; - if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { -+ fip = _TIFFFieldWithTag(tif, tag); - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "Bad value %lu for \"%s\" tag ignored", -- v, _TIFFFieldWithTag(tif, tag)->field_name); -+ v, fip ? fip->field_name : "Unknown"); - } else - td->td_orientation = (uint16) v; - break; -@@ -387,11 +390,15 @@ - * happens, for example, when tiffcp is used to convert between - * compression schemes and codec-specific tags are blindly copied. - */ -+ /* -+ * better not dereference fip if it is NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { - TIFFErrorExt(tif->tif_clientdata, module, - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - status = 0; - break; - } -@@ -468,7 +475,7 @@ - if (fip->field_type == TIFF_ASCII) - _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); - else { -- tv->value = _TIFFmalloc(tv_size * tv->count); -+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); - if (!tv->value) { - status = 0; - goto end; -@@ -563,7 +570,7 @@ - } - } - if (status) { -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ TIFFSetFieldBit(tif, fip->field_bit); - tif->tif_flags |= TIFF_DIRTYDIRECT; - } - -@@ -572,12 +579,12 @@ - return (status); - badvalue: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", -- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - badvalue32: - TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", -- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); -+ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); - va_end(ap); - return (0); - } -@@ -813,12 +820,16 @@ - * If the client tries to get a tag that is not valid - * for the image's codec then we'll arrive here. - */ -+ /* -+ * dont dereference fip if it's NULL. -+ * -- taviso@google.com 15 Jun 2006 -+ */ - if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) - { - TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", - "%s: Invalid %stag \"%s\" (not supported by codec)", - tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", -- _TIFFFieldWithTag(tif, tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - ret_val = 0; - break; - } -diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c ---- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 -@@ -775,7 +775,8 @@ - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", - "Internal error, unknown tag 0x%x", - (unsigned int) tag); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); -@@ -789,7 +790,8 @@ - if (!fip) { - TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", - "Internal error, unknown tag %s", field_name); -- assert(fip != NULL); -+ /* assert(fip != NULL); */ -+ - /*NOTREACHED*/ - } - return (fip); -diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c ---- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 -@@ -29,6 +29,9 @@ - * - * Directory Read Support Routines. - */ -+ -+#include <limits.h> -+ - #include "tiffiop.h" - - #define IGNORE 0 /* tag placeholder used below */ -@@ -81,6 +84,7 @@ - uint16 dircount; - toff_t nextdiroff; - int diroutoforderwarning = 0; -+ int compressionknown = 0; - toff_t* new_dirlist; - - tif->tif_diroff = tif->tif_nextdiroff; -@@ -147,13 +151,20 @@ - } else { - toff_t off = tif->tif_diroff; - -- if (off + sizeof (uint16) > tif->tif_size) { -- TIFFErrorExt(tif->tif_clientdata, module, -- "%s: Can not read TIFF directory count", -- tif->tif_name); -- return (0); -+ /* -+ * Check for integer overflow when validating the dir_off, otherwise -+ * a very high offset may cause an OOB read and crash the client. -+ * -- taviso@google.com, 14 Jun 2006. -+ */ -+ if (off + sizeof (uint16) > tif->tif_size || -+ off > (UINT_MAX - sizeof(uint16))) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "%s: Can not read TIFF directory count", -+ tif->tif_name); -+ return (0); - } else -- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); -+ _TIFFmemcpy(&dircount, tif->tif_base + off, -+ sizeof (uint16)); - off += sizeof (uint16); - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabShort(&dircount); -@@ -254,6 +265,7 @@ - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; -+ - if (fix >= tif->tif_nfields || - tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { - -@@ -264,17 +276,23 @@ - dp->tdir_tag, - dp->tdir_tag, - dp->tdir_type); -- -- TIFFMergeFieldInfo(tif, -- _TIFFCreateAnonFieldInfo(tif, -- dp->tdir_tag, -- (TIFFDataType) dp->tdir_type), -- 1 ); -+ /* -+ * creating anonymous fields prior to knowing the compression -+ * algorithm (ie, when the field info has been merged) could cause -+ * crashes with pathological directories. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (compressionknown) -+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, -+ (TIFFDataType) dp->tdir_type), 1 ); -+ else goto ignore; -+ - fix = 0; - while (fix < tif->tif_nfields && - tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) - fix++; - } -+ - /* - * Null out old tags that we ignore. - */ -@@ -326,6 +344,7 @@ - dp->tdir_type, dp->tdir_offset); - if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) - goto bad; -+ else compressionknown++; - break; - /* XXX: workaround for broken TIFFs */ - } else if (dp->tdir_type == TIFF_LONG) { -@@ -540,6 +559,7 @@ - * Attempt to deal with a missing StripByteCounts tag. - */ - if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * Some manufacturers violate the spec by not giving - * the size of the strips. In this case, assume there -@@ -556,7 +576,7 @@ - "%s: TIFF directory is missing required " - "\"%s\" field, calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - /* -@@ -580,6 +600,7 @@ - } else if (td->td_nstrips == 1 - && td->td_stripoffset[0] != 0 - && BYTECOUNTLOOKSBAD) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Plexus (and others) sometimes give a value of zero for - * a tag when they don't know what the correct value is! Try -@@ -589,13 +610,14 @@ - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if(EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } else if (td->td_planarconfig == PLANARCONFIG_CONTIG - && td->td_nstrips > 2 - && td->td_compression == COMPRESSION_NONE - && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); - /* - * XXX: Some vendors fill StripByteCount array with absolutely - * wrong values (it can be equal to StripOffset array, for -@@ -604,7 +626,7 @@ - TIFFWarningExt(tif->tif_clientdata, module, - "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", - tif->tif_name, -- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); -+ fip ? fip->field_name : "Unknown"); - if (EstimateStripByteCounts(tif, dir, dircount) < 0) - goto bad; - } -@@ -870,7 +892,13 @@ - - register TIFFDirEntry *dp; - register TIFFDirectory *td = &tif->tif_dir; -- uint16 i; -+ -+ /* i is used to iterate over td->td_nstrips, so must be -+ * at least the same width. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ -+ uint32 i; - - if (td->td_stripbytecount) - _TIFFfree(td->td_stripbytecount); -@@ -947,16 +975,18 @@ - static int - CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) - { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ - if (count > dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (0); - } else if (count < dir->tdir_count) { - TIFFWarningExt(tif->tif_clientdata, tif->tif_name, - "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, -+ fip ? fip->field_name : "Unknown", - dir->tdir_count, count); - return (1); - } -@@ -970,6 +1000,7 @@ - TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) - { - int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - tsize_t cc = dir->tdir_count * w; - - /* Check for overflow. */ -@@ -1013,7 +1044,7 @@ - bad: - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Error fetching data for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - return (tsize_t) 0; - } - -@@ -1039,10 +1070,12 @@ - static int - cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) - { -+ const TIFFFieldInfo* fip; - if (denom == 0) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "%s: Rational with zero denominator (num = %lu)", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); -+ fip ? fip->field_name : "Unknown", num); - return (0); - } else { - if (dir->tdir_type == TIFF_RATIONAL) -@@ -1159,6 +1192,20 @@ - static int - TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) - { -+ /* -+ * Prevent overflowing the v stack arrays below by performing a sanity -+ * check on tdir_count, this should never be greater than two. -+ * -- taviso@google.com 14 Jun 2006. -+ */ -+ if (dir->tdir_count > 2) { -+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); -+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, -+ "unexpected count for field \"%s\", %lu, expected 2; ignored.", -+ fip ? fip->field_name : "Unknown", -+ dir->tdir_count); -+ return 0; -+ } -+ - switch (dir->tdir_type) { - case TIFF_BYTE: - case TIFF_SBYTE: -@@ -1329,14 +1376,15 @@ - case TIFF_DOUBLE: - return (TIFFFetchDoubleArray(tif, dir, (double*) v)); - default: -+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - /* TIFF_NOTYPE */ - /* TIFF_ASCII */ - /* TIFF_UNDEFINED */ - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "cannot read TIFF_ANY type %d for field \"%s\"", - dir->tdir_type, -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -- return (0); -+ fip ? fip->field_name : "Unknown"); -+ return (0); } - } - return (1); - } -@@ -1351,6 +1399,9 @@ - int ok = 0; - const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); - -+ if (fip == NULL) { -+ return (0); -+ } - if (dp->tdir_count > 1) { /* array of values */ - char* cp = NULL; - -@@ -1493,6 +1544,7 @@ - TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1510,9 +1562,10 @@ - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1534,6 +1587,7 @@ - TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1551,9 +1605,10 @@ - check_count = samples; - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -@@ -1574,6 +1629,7 @@ - TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) - { - uint16 samples = tif->tif_dir.td_samplesperpixel; -+ const TIFFFieldInfo* fip; - int status = 0; - - if (CheckDirCount(tif, dir, (uint32) samples)) { -@@ -1591,9 +1647,10 @@ - - for (i = 1; i < check_count; i++) - if (v[i] != v[0]) { -+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "Cannot handle different per-sample values for field \"%s\"", -- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); -+ fip ? fip->field_name : "Unknown"); - goto bad; - } - *pl = v[0]; -diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c ---- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 -@@ -1136,6 +1136,7 @@ - Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) - { - Fax3BaseState* sp = Fax3State(tif); -+ const TIFFFieldInfo* fip; - - assert(sp != 0); - assert(sp->vsetparent != 0); -@@ -1181,7 +1182,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c ---- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 -@@ -722,15 +722,31 @@ - segment_width = TIFFhowmany(segment_width, sp->h_sampling); - segment_height = TIFFhowmany(segment_height, sp->v_sampling); - } -- if (sp->cinfo.d.image_width != segment_width || -- sp->cinfo.d.image_height != segment_height) { -+ if (sp->cinfo.d.image_width < segment_width || -+ sp->cinfo.d.image_height < segment_height) { - TIFFWarningExt(tif->tif_clientdata, module, - "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", - segment_width, - segment_height, - sp->cinfo.d.image_width, - sp->cinfo.d.image_height); -+ } -+ -+ if (sp->cinfo.d.image_width > segment_width || -+ sp->cinfo.d.image_height > segment_height) { -+ /* -+ * This case could be dangerous, if the strip or tile size has been -+ * reported as less than the amount of data jpeg will return, some -+ * potential security issues arise. Catch this case and error out. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "JPEG strip/tile size exceeds expected dimensions," -+ "expected %dx%d, got %dx%d", segment_width, segment_height, -+ sp->cinfo.d.image_width, sp->cinfo.d.image_height); -+ return (0); - } -+ - if (sp->cinfo.d.num_components != - (td->td_planarconfig == PLANARCONFIG_CONTIG ? - td->td_samplesperpixel : 1)) { -@@ -761,6 +777,22 @@ - sp->cinfo.d.comp_info[0].v_samp_factor, - sp->h_sampling, sp->v_sampling); - -+ /* -+ * There are potential security issues here for decoders that -+ * have already allocated buffers based on the expected sampling -+ * factors. Lets check the sampling factors dont exceed what -+ * we were expecting. -+ * -- taviso@google.com 14 June 2006 -+ */ -+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || -+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Cannot honour JPEG sampling factors that" -+ " exceed those specified."); -+ return (0); -+ } -+ -+ - /* - * XXX: Files written by the Intergraph software - * has different sampling factors stored in the -@@ -1521,15 +1553,18 @@ - { - JPEGState *sp = JState(tif); - -- assert(sp != 0); -+ /* assert(sp != 0); */ - - tif->tif_tagmethods.vgetfield = sp->vgetparent; - tif->tif_tagmethods.vsetfield = sp->vsetparent; - -- if( sp->cinfo_initialized ) -- TIFFjpeg_destroy(sp); /* release libjpeg resources */ -- if (sp->jpegtables) /* tag value */ -- _TIFFfree(sp->jpegtables); -+ if (sp != NULL) { -+ if( sp->cinfo_initialized ) -+ TIFFjpeg_destroy(sp); /* release libjpeg resources */ -+ if (sp->jpegtables) /* tag value */ -+ _TIFFfree(sp->jpegtables); -+ } -+ - _TIFFfree(tif->tif_data); /* release local state */ - tif->tif_data = NULL; - -@@ -1541,6 +1576,7 @@ - { - JPEGState* sp = JState(tif); - TIFFDirectory* td = &tif->tif_dir; -+ const TIFFFieldInfo* fip; - uint32 v32; - - assert(sp != NULL); -@@ -1606,7 +1642,13 @@ - default: - return (*sp->vsetparent)(tif, tag, ap); - } -- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); -+ -+ if ((fip = _TIFFFieldWithTag(tif, tag))) { -+ TIFFSetFieldBit(tif, fip->field_bit); -+ } else { -+ return (0); -+ } -+ - tif->tif_flags |= TIFF_DIRTYDIRECT; - return (1); - } -@@ -1726,7 +1768,11 @@ - { - JPEGState* sp = JState(tif); - -- assert(sp != NULL); -+ /* assert(sp != NULL); */ -+ if (sp == NULL) { -+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); -+ return; -+ } - - (void) flags; - if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) -diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c ---- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 -@@ -105,11 +105,16 @@ - * as codes of the form <color><npixels> - * until we've filled the scanline. - */ -+ /* -+ * Ensure the run does not exceed the scanline -+ * bounds, potentially resulting in a security issue. -+ * -- taviso@google.com 14 Jun 2006. -+ */ - op = row; - for (;;) { - grey = (n>>6) & 0x3; - n &= 0x3f; -- while (n-- > 0) -+ while (n-- > 0 && npixels < imagewidth) - SETPIXEL(op, grey); - if (npixels >= (int) imagewidth) - break; -diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c ---- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 -@@ -768,7 +768,19 @@ - if (tif->tif_flags & TIFF_SWAB) - TIFFSwabArrayOfShort(up, nsamples); - -- for (i = 0; i < nsamples; i += llen, up += llen) { -+ /* -+ * if llen is not an exact multiple of nsamples, the decode operation -+ * may overflow the output buffer, so truncate it enough to prevent that -+ * but still salvage as much data as possible. -+ * -- taviso@google.com 14th June 2006 -+ */ -+ if (nsamples % llen) -+ TIFFWarningExt(tif->tif_clientdata, module, -+ "%s: stride %lu is not a multiple of sample count, " -+ "%lu, data truncated.", tif->tif_name, llen, nsamples); -+ -+ -+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { - switch (sp->user_datafmt) { - case PIXARLOGDATAFMT_FLOAT: - horizontalAccumulateF(up, llen, sp->stride, -diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c ---- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 -+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 -@@ -31,6 +31,8 @@ - #include "tiffiop.h" - #include <stdio.h> - -+#include <limits.h> -+ - int TIFFFillStrip(TIFF*, tstrip_t); - int TIFFFillTile(TIFF*, ttile_t); - static int TIFFStartStrip(TIFF*, tstrip_t); -@@ -272,7 +274,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { -+ /* -+ * This sanity check could potentially overflow, causing an OOB read. -+ * verify that offset + bytecount is > offset. -+ * -- taviso@google.com 14 Jun 2006 -+ */ -+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { - /* - * This error message might seem strange, but it's - * what would happen if a read were done instead. -@@ -470,7 +478,13 @@ - if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) - _TIFFfree(tif->tif_rawdata); - tif->tif_flags &= ~TIFF_MYBUFFER; -- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { -+ /* -+ * We must check this calculation doesnt overflow, potentially -+ * causing an OOB read. -+ * -- taviso@google.com 15 Jun 2006 -+ */ -+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || -+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { - tif->tif_curtile = NOTILE; - return (0); - } diff --git a/abs/core/libtiff/ChangeLog b/abs/core/libtiff/ChangeLog deleted file mode 100644 index 88edcc7..0000000 --- a/abs/core/libtiff/ChangeLog +++ /dev/null @@ -1,35 +0,0 @@ -2010-06-20 Eric Belanger <eric@archlinux.org> - - * libtiff 3.9.4-1 - * Upstream update - -2009-11-05 Eric Belanger <eric@archlinux.org> - - * libtiff 3.9.2-1 - * Upstream update - -2009-08-28 Eric Belanger <eric@archlinux.org> - - * libtiff 3.9.1-1 - * Upstream update - -2009-08-26 Eric Belanger <eric@archlinux.org> - - * libtiff 3.9.0-1 - * Upstream update - * Updated url - * Updated patches - -2009-08-14 Eric Belanger <eric@archlinux.org> - - * libtiff 3.8.2-6 - * Added security fixes (close FS#15931) - -2008-09-05 Eric Belanger <eric@archlinux.org> - - * libtiff 3.8.2-4 - * Applied patch to fix buffer underflow in LZW decoding (tiff-3.8.2-CVE-2008-2327.patch) - * Added license - * Added freeglut optdepends - * FHS man pages - * Added ChangeLog diff --git a/abs/core/libtiff/PKGBUILD b/abs/core/libtiff/PKGBUILD index ed80a2b..2606aa1 100644 --- a/abs/core/libtiff/PKGBUILD +++ b/abs/core/libtiff/PKGBUILD @@ -1,32 +1,33 @@ -# $Id: PKGBUILD 83314 2010-06-20 21:43:27Z eric $ -# Maintainer: Eric Belanger <eric@archlinux.org> -# Contributor: dorphell <dorphell@archlinux.org> +# $Id: PKGBUILD 162307 2012-06-24 20:44:52Z eric $ +# Maintainer: Eric BĂ©langer <eric@archlinux.org> pkgname=libtiff -pkgver=3.9.4 +pkgver=4.0.2 pkgrel=1 pkgdesc="Library for manipulation of TIFF images" arch=('i686' 'x86_64') url="http://www.remotesensing.org/libtiff/" license=('custom') -depends=('libjpeg' 'zlib') -makedepends=('libgl' 'freeglut' 'libxmu' 'libxi') +depends=('libjpeg' 'zlib' 'xz') +makedepends=('freeglut') optdepends=('freeglut: for using tiffgt') options=('!libtool') -source=(ftp://ftp.remotesensing.org/pub/libtiff/tiff-${pkgver}.tar.gz \ - libtiff-CVE-2009-2285.patch) -md5sums=('2006c1bdd12644dbf02956955175afd6' 'ff61077408727a82281f77a94f555e2a') -sha1sums=('a4e32d55afbbcabd0391a9c89995e8e8a19961de' 'eadce8c8bd72ea9c74f35300bf299131813b0c8b') +source=(ftp://ftp.remotesensing.org/pub/libtiff/tiff-${pkgver}.tar.gz) +sha1sums=('d84b7b33a6cfb3d15ca386c8c16b05047f8b5352') build() { cd "${srcdir}/tiff-${pkgver}" - patch -p1 < ../libtiff-CVE-2009-2285.patch || return 1 - ./configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man || return 1 - make || return 1 + ./configure --prefix=/usr + make +} + +check() { + cd "${srcdir}/tiff-${pkgver}" + make check } package() { cd "${srcdir}/tiff-${pkgver}" - make DESTDIR="${pkgdir}" install || return 1 - install -D -m644 COPYRIGHT "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE" || return 1 + make DESTDIR="${pkgdir}" install + install -D -m644 COPYRIGHT "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE" } diff --git a/abs/core/libtiff/libtiff-CVE-2009-2285.patch b/abs/core/libtiff/libtiff-CVE-2009-2285.patch deleted file mode 100644 index 435a84b..0000000 --- a/abs/core/libtiff/libtiff-CVE-2009-2285.patch +++ /dev/null @@ -1,22 +0,0 @@ -Index: tiff-3.8.2/libtiff/tif_lzw.c -=================================================================== ---- tiff-3.8.2.orig/libtiff/tif_lzw.c -+++ tiff-3.8.2/libtiff/tif_lzw.c -@@ -421,7 +421,7 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize - NextCode(tif, sp, bp, code, GetNextCode); - if (code == CODE_EOI) - break; -- if (code == CODE_CLEAR) { -+ if (code >= CODE_CLEAR) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "LZWDecode: Corrupted LZW table at scanline %d", - tif->tif_row); -@@ -624,7 +624,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, - NextCode(tif, sp, bp, code, GetNextCodeCompat); - if (code == CODE_EOI) - break; -- if (code == CODE_CLEAR) { -+ if (code >= CODE_CLEAR) { - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, - "LZWDecode: Corrupted LZW table at scanline %d", - tif->tif_row); diff --git a/abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch b/abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch deleted file mode 100644 index e6d74a6..0000000 --- a/abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch +++ /dev/null @@ -1,64 +0,0 @@ -Fixes security issues in libTIFF's handling of LZW-encoded -images. The use of uninitialized data could lead to a buffer -underflow and a crash or arbitrary code execution. - -CVE-ID: CVE-2008-2327 -Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080 - -Index: tiff-3.8.2/libtiff/tif_lzw.c -=================================================================== ---- tiff-3.8.2.orig/libtiff/tif_lzw.c -+++ tiff-3.8.2/libtiff/tif_lzw.c -@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif) - sp->dec_codetab[code].length = 1; - sp->dec_codetab[code].next = NULL; - } while (code--); -+ /* -+ * Zero-out the unused entries -+ */ -+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, -+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); -+ - } - return (1); - } -@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask-1; - NextCode(tif, sp, bp, code, GetNextCode); - if (code == CODE_EOI) - break; -+ if (code == CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = (char)code, occ--; - oldcodep = sp->dec_codetab + code; - continue; -@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0, - break; - if (code == CODE_CLEAR) { - free_entp = sp->dec_codetab + CODE_FIRST; -+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask; - NextCode(tif, sp, bp, code, GetNextCodeCompat); - if (code == CODE_EOI) - break; -+ if (code == CODE_CLEAR) { -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -+ "LZWDecode: Corrupted LZW table at scanline %d", -+ tif->tif_row); -+ return (0); -+ } - *op++ = code, occ--; - oldcodep = sp->dec_codetab + code; - continue; diff --git a/abs/core/libtiff/tiff2pdf-compression.patch b/abs/core/libtiff/tiff2pdf-compression.patch deleted file mode 100644 index 2dae2dc..0000000 --- a/abs/core/libtiff/tiff2pdf-compression.patch +++ /dev/null @@ -1,44 +0,0 @@ ---- tiff-3.8.2/tools/tiff2pdf.c 8 Jun 2006 11:27:11 -0000 1.35 -+++ tiff-3.8.2/tools/tiff2pdf.c 19 Jun 2006 20:12:08 -0000 1.36 -@@ -937,7 +937,7 @@ - - #ifdef JPEG_SUPPORT - if(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){ -- if(t2p->pdf_defaultcompressionquality<100 || -+ if(t2p->pdf_defaultcompressionquality>100 || - t2p->pdf_defaultcompressionquality<1){ - t2p->pdf_defaultcompressionquality=0; - } -@@ -945,25 +945,17 @@ - #endif - #ifdef ZIP_SUPPORT - if(t2p->pdf_defaultcompression==T2P_COMPRESS_ZIP){ -- switch (t2p->pdf_defaultcompressionquality){ -- case 1: case 10: case 11: case 12: case 13: case 14: case 15: -- case 101: case 110: case 111: case 112: case 113: case 114: case 115: -- case 201: case 210: case 211: case 212: case 213: case 214: case 215: -- case 301: case 310: case 311: case 312: case 313: case 314: case 315: -- case 401: case 410: case 411: case 412: case 413: case 414: case 415: -- case 501: case 510: case 511: case 512: case 513: case 514: case 515: -- case 601: case 610: case 611: case 612: case 613: case 614: case 615: -- case 701: case 710: case 711: case 712: case 713: case 714: case 715: -- case 801: case 810: case 811: case 812: case 813: case 814: case 815: -- case 901: case 910: case 911: case 912: case 913: case 914: case 915: -- break; -- default: -- t2p->pdf_defaultcompressionquality=0; -+ uint16 m=t2p->pdf_defaultcompressionquality%100; -+ if(t2p->pdf_defaultcompressionquality/100 > 9 || -+ (m>1 && m<10) || m>15){ -+ t2p->pdf_defaultcompressionquality=0; - } - if(t2p->pdf_defaultcompressionquality%100 !=0){ -+ t2p->pdf_defaultcompressionquality/=100; -+ t2p->pdf_defaultcompressionquality*=100; - TIFFError( - TIFF2PDF_MODULE, -- "PNG Group predictor differencing not implemented, assuming compresion quality %u", -+ "PNG Group predictor differencing not implemented, assuming compression quality %u", - t2p->pdf_defaultcompressionquality); - } - t2p->pdf_defaultcompressionquality%=100; diff --git a/abs/core/libtiff/tiff2pdf-octal-printf.patch b/abs/core/libtiff/tiff2pdf-octal-printf.patch deleted file mode 100644 index f35b072..0000000 --- a/abs/core/libtiff/tiff2pdf-octal-printf.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- tiff-3.8.2/tools/tiff2pdf.c.orig 2006-03-21 11:42:51.000000000 -0500 -+++ tiff-3.8.2/tools/tiff2pdf.c 2006-06-07 17:54:01.027637232 -0400 -@@ -3668,7 +3668,7 @@ - written += TIFFWriteFile(output, (tdata_t) "(", 1); - for (i=0;i<len;i++){ - if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){ -- sprintf(buffer, "\\%.3o", pdfstr[i]); -+ sprintf(buffer, "\\%.3hho", pdfstr[i]); - written += TIFFWriteFile(output, (tdata_t) buffer, 4); - } else { - switch (pdfstr[i]){ diff --git a/abs/core/libtiff/tiffsplit-fname-overflow.patch b/abs/core/libtiff/tiffsplit-fname-overflow.patch deleted file mode 100644 index cc22589..0000000 --- a/abs/core/libtiff/tiffsplit-fname-overflow.patch +++ /dev/null @@ -1,19 +0,0 @@ ---- tiff-3.8.2/tools/tiffsplit.c.orig 2005-12-07 04:48:33.000000000 -0500 -+++ tiff-3.8.2/tools/tiffsplit.c 2006-06-01 21:20:25.039944864 -0400 -@@ -61,14 +61,13 @@ - return (-3); - } - if (argc > 2) -- strcpy(fname, argv[2]); -+ snprintf(fname, sizeof(fname), "%s", argv[2]); - in = TIFFOpen(argv[1], "r"); - if (in != NULL) { - do { - char path[1024+1]; - newfilename(); -- strcpy(path, fname); -- strcat(path, ".tif"); -+ snprintf(path, sizeof(path), "%s.tif", fname); - out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); - if (out == NULL) - return (-2); |